Vulnerabilities > CVE-2004-0209 - Remote Buffer Overflow vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

microsoft

critical

nessus

exploit available

NVD

Published: 2004-11-03

Updated: 2018-10-12

Summary

Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows 2000 * Microsoft Windows 2003 Server R2 Microsoft Windows XP *	3

Exploit-Db

description	MS Windows Metafile (.emf) Heap Overflow Exploit (MS04-032). CVE-2004-0209. Remote exploit for windows platform
id	EDB-ID:584
last seen	2016-01-31
modified	2004-10-20
published	2004-10-20
reporter	houseofdabus
source	https://www.exploit-db.com/download/584/
title	Microsoft Windows Metafile .emf Heap Overflow Exploit MS04-032

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS04-032.NASL
description	The remote host is missing a security update for Microsoft Windows (840987). The missing security update fixes issues in the following areas : - Window Management - Virtual DOS Machine - Graphics Rendering Engine - Windows Kernel A local attacker could exploit any of these vulnerabilities to cause a local denial of service or obtain higher privileges on the remote host.
last seen	2020-06-01
modified	2020-06-02
plugin id	15457
published	2004-10-12
reporter	This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/15457
title	MS04-032: Security Update for Microsoft Windows (840987)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(15457); script_version("1.43"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_cve_id( "CVE-2004-0207", "CVE-2004-0208", "CVE-2004-0209", "CVE-2004-0211" ); script_bugtraq_id(11365, 11369, 11375, 11378); script_xref(name:"CERT", value:"806278"); script_xref(name:"MSFT", value:"MS04-032"); script_xref(name:"MSKB", value:"840987"); script_name(english:"MS04-032: Security Update for Microsoft Windows (840987)"); script_summary(english:"Determines if hotfix 840987 has been installed"); script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host."); script_set_attribute(attribute:"description", value: "The remote host is missing a security update for Microsoft Windows (840987). The missing security update fixes issues in the following areas : - Window Management - Virtual DOS Machine - Graphics Rendering Engine - Windows Kernel A local attacker could exploit any of these vulnerabilities to cause a local denial of service or obtain higher privileges on the remote host."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-032"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows NT, 2000, XP and 2003."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/12"); script_set_attribute(attribute:"patch_publication_date", value:"2004/10/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/10/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS04-032'; kb = '840987'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(nt:'6', win2k:'3,4', xp:'0,1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"5.2", sp:0, file:"Win32k.sys", version:"5.2.3790.198", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:1, file:"Win32k.sys", version:"5.1.2600.1581", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:0, file:"Win32k.sys", version:"5.1.2600.166", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Win32k.sys", version:"5.0.2195.6966", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"4.0", file:"Win32k.sys", version:"4.0.1381.7292", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"4.0", file:"Win32k.sys", version:"4.0.1381.33580", min_version:"4.0.1381.33000", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2004-12-09T08:46:00.000-04:00

class

vulnerability

contributors

name	Ingrid Skoog
organization	The MITRE Corporation

description

family

windows

oval:org.mitre.oval:def:1872

status

accepted

submitted

2004-10-14T09:59:00.000-04:00

title

Windows XP Enhanced Metafile Image Format Rendering Buffer Overflow

version

accepted

2004-11-17T10:00:00.000-04:00

class

vulnerability

contributors

name	Ingrid Skoog
organization	The MITRE Corporation

description

family

windows

oval:org.mitre.oval:def:2114

status

accepted

submitted

2004-10-13T11:11:00.000-04:00

title

Windows 2000 Enhanced Metafile Image Format Rendering Buffer Overflow

version

accepted

2004-11-17T10:00:00.000-04:00

class

vulnerability

contributors

name Ingrid Skoog
organization The MITRE Corporation
name Ingrid Skoog
organization The MITRE Corporation

description

family

windows

oval:org.mitre.oval:def:2428

status

accepted

submitted

2004-10-13T11:29:00.000-04:00

title

Windows XP/Server 2003 (64-Bit) Enhanced Metafile Image Format Rendering Buffer Overflow

version

Saint

bid	11375
description	Windows Metafile rendering buffer overflow
id	win_patch_wmf
osvdb	10692
title	windows_metafile
type	client

Seebug

bulletinFamily	exploit
description	No description provided by source.
id	SSV:8643
last seen	2017-11-19
modified	2008-06-05
published	2008-06-05
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-8643
title	MS Windows Metafile (.emf) Heap Overflow Exploit (MS04-032)

Summary

Vulnerable Configurations

Exploit-Db

Nessus

Oval

Saint

Seebug

References